The cyberexploitation analog to damage assessment for cyberattack might be termed effectiveness assessment. If a cyberexploitation does not report back to its controller, it has failed. But even if it does report back, it may not have succeeded. For cyberexploitation, the danger is that it has been discovered and that somehow the adversary has provided false or misleading information that is then reported back. Alternatively, the adversary may have compromised the report-back channel itself and inserted its own message that is mistaken for an authentic report-back message. (In a worst-case scenario, the adversary may use the report-back channel as a vehicle for conducting its own cyberattack or cyberexploitation against the controller.)
These scenarios for misdirection are not unique to cyberexploitation, of course—they are possible in ordinary espionage attempts as well. But because it is likely to be difficult for an automated agent to distinguish between being present on a “real” target and being present on a “decoy” target, concerns about misdirection in a cyberexploitation context are all too real.
In contemplating what to do about an adversary computer or network, decision makers have essentially two options—render it unavailable for serving adversary purposes or exploit it to gather useful information. In many cases, these two options are mutually exclusive—destroying it makes it impossible to exploit it. In some cases, destroying it may also reveal to the adversary some vulnerability or access path previously unknown to him, and thus compromise friendly sources and methods.
These tradeoffs are no less present in cyberattack and cyberexploitation. But in some ways, the tradeoffs may be easier to manage. For example, because a given instrument for cyberexploitation can be designed with cyberattack capabilities, the transition between exploitation and attack may be operationally simpler. Also, a cyberattack may be designed to corrupt or degrade a system slowly—and exploitation is possible as long as the adversary does not notice the corruption.
To provide a sense of what might be possible through cyberattack and cyberexploitation, it is useful to consider some of the ways in which criminals have used them. A number of such cases are described in Appendix C,